Privacy Policy
Extension: TASK Mail Lens – AI Email Summary for Gmail
Last updated: May 25, 2026
Google API Services User Data Policy (Limited Use)
TASK Mail Lens's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
1. What Data We Collect and Why
TASK Mail Lens is designed to prioritize your privacy. We collect the absolute minimum data required for the extension to function.
- Email Content (DOM reading): The extension runs a content script on https://mail.google.com/* to read the subject line, sender address, and body preview of the email you are currently viewing. This is strictly required to generate an AI summary. For paid (Pro) users, this metadata is transiently transmitted to our Cloudflare proxy for processing and is not logged or stored on our servers. For free/BYOK users, it is sent directly from your browser to the Google Gemini API.
- Calendar Data: If you grant Calendar permissions, we request the calendar.events OAuth scope. This allows the extension to create calendar events based on emails directly from your Gmail interface. We do not read, store, or share your existing calendar events with any third party.
- Google Profile (OAuth users): We access your basic Google profile (email address) solely for authentication and subscription management via Chrome Identity API.
- Account Registration (custom auth users): If you register with an email address and password instead of Google Sign-In, we collect your email address, display name, a SHA-256 hash of your password, and your account creation timestamp. All of this data is stored exclusively on your local device via chrome.storage.local and is never transmitted to our servers.
2. How Data is Processed
To generate email summaries, the extension securely transmits the text of your email to one of the following, depending on your plan:
- Google Gemini API (generativelanguage.googleapis.com): Used by free/BYOK users to generate the AI summary directly. This data is subject to Google's Privacy Policy. Google does not use data submitted via the Gemini API to train its models.
- Cloudflare Workers proxy (mail-lens-proxy.jnhorta2005.workers.dev): Used by paid (Pro) users. We route API requests through a secure proxy to avoid exposing API keys. The proxy transmits your email content to the Gemini API and returns the result. The proxy does not log, store, or retain the content of your emails or generated summaries. The proxy stores your Google user ID in Cloudflare KV solely for rate-limiting purposes.
3. Password Recovery
When you request a password reset for a custom-auth account, a temporary one-time verification code is generated and sent to your email address via our Cloudflare proxy. The code is stored transiently on the proxy server for the duration of the verification window (typically a few minutes) and is automatically discarded after use or expiry. No email content is stored during this process.
4. Data Storage and Retention
- Local storage: Email summaries, tags, settings, account credentials (hashed password, email, name), and session tokens are stored locally in chrome.storage.local on your device. This data never leaves your browser except as described in Section 2. You can clear this data at any time via the extension settings or by uninstalling the extension.
- Retention: Cached email summaries and tags are stored locally until you explicitly clear them via the extension settings, or until you uninstall the extension. Custom-auth account data is stored indefinitely until you delete your account. Google OAuth session tokens are managed by Chrome and expire automatically.
- Cloudflare KV (server-side): For paid (Pro) users, our Cloudflare Worker stores per-user rate-limit counters (requests per minute and per day) in Cloudflare KV, keyed by an anonymised user identifier. These counters expire automatically — per-minute counters after 2 minutes, per-day counters after 48 hours. No email content is stored in Cloudflare KV.
- Uninstalling the extension: Uninstalling TASK Mail Lens from Chrome permanently removes all locally stored data, including cached summaries, tags, settings, and account credentials. Server-side rate-limit counters in Cloudflare KV expire on their own schedule (see above) and require no manual action.
- Deletion: To delete your account and all associated local data, use the "Delete Account" option in the extension settings, or uninstall the extension to remove all locally stored data. To request deletion of any data held by third-party services (ExtensionPay, Google), please follow their respective deletion procedures.
5. Authentication and Security
- Google OAuth: We use Chrome's built-in Identity API (chrome.identity) to securely obtain a Google OAuth token. We never see, intercept, or store your Google password.
- Custom authentication: Passwords are hashed with SHA-256 before storage in chrome.storage.local. The plaintext password is never stored or transmitted.
- Transit encryption: All data in transit between your browser, our proxy, and Google's APIs is encrypted using HTTPS (TLS).
6. Third-Party Services
We rely on the following trusted third-party services to provide our core features:
- Google (Gemini API, Calendar API): For AI processing and calendar event creation.
- Cloudflare Workers: Hosts our API proxy for paid users. Cloudflare may log request metadata (IP, timestamps) per their standard infrastructure practices. See Cloudflare's Privacy Policy.
- ExtensionPay: Handles subscription verification and payment processing. ExtensionPay may collect your email address to manage your subscription. Please review ExtensionPay's Privacy Policy.
7. Data Sharing and Selling
We do not sell, rent, or trade your personal data. We do not share your data with any third parties beyond those explicitly required to provide the core functionality of the extension (Google Gemini, Google Calendar, Cloudflare, and ExtensionPay).
8. User Rights
You have the right to:
- Access: Request a summary of the data we hold about you by contacting us at the address below.
- Delete: Delete your local account data via the extension settings, or uninstall the extension to remove all locally stored data.
- Revoke Google access: Visit Google Account Permissions and remove TASK Mail Lens at any time.
- Port: Your locally stored data (summaries, tags) can be exported via the extension settings.
9. User Consent and Changes
By using TASK Mail Lens, you consent to this privacy policy. We may update this policy from time to time. Material changes will be communicated via an in-extension notice. Continued use after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have any questions or concerns about this Privacy Policy or your data, please contact us at: jnhorta2005@gmail.com